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1. Purpose 
1.1. Bar Hill Community Association (BHCA) (henceforth "the charity") will ensure that all personal 

data that it holds will be: 

1.1.1. Processed lawfully, fairly and in a transparent manner; 

1.1.2. collected for specified, explicit and legitimate purposes and not further processed 
in a manner that is incompatible with those purposes; 

1.1.3. adequate, relevant and limited to what is necessary; 

1.1.4. accurate and kept up to date; 

1.1.5. kept in a form which permits identification of data subjects for no longer than is 
necessary; 

1.1.6. processed in a manner that ensures appropriate security of the personal data, 
including protection against unauthorised or unlawful processing and accidental loss, 
destruction or damage. 


2. Introduction to the UK-GDPR 
2.1. Under the United Kingdom General Data Protection Regulations (UKGDPR), the Charity must 
comply with the UK-GDPR and undertakes to do so. 
2.2. Throughout this policy document, numbers prefixed by "Art: "in brackets (e.g.: {Art:5}) refer 
to the relevant Article(s) in the UK-GDPR, as modified by the Keeling Schedule. 
2.3. This policy covers all Trustees, Volunteers, and Employees of the Charity. 


3. Definitions {Précised from Art:4} 
3.1. Data Subject 
3.1.1. A data subject is an identifiable person about whom the Charity holds personal 
data. 
3.2. Contact Information 
3.2.1. For this policy, "Contact Information" could mean any of a person's: 
Biel ls full name (as well as any preferences about how they like to be called, 
including pronouns, titles, and suffixes), 
3.2.1.2. full postal address, 
3.2.1.3. telephone (including mobile) number(s), 
3.2.1.4. e-mail address(es), and 
3.2.1.5. social media IDs/ Usernames (e.g. Facebook, Skype, Hangouts, WhatsApp) 


4. Principles of the UK-GDPR {Précised from Art:5} 
4.1. The Charity will ensure that all personal data that it holds will be: 

4.1.1. Processed lawfully, fairly and in a transparent manner, 

4.1.2. Collected only for specified, explicit and legitimate purposes. Further processing 
for archiving purposes in the public interest, scientific or historical research purposes or 
statistical purposes shall not be incompatible with the initial purposes, 

4.1.3. Adequate, relevant and limited to what is necessary for the purposes for which they 
are processed, 


4.1.4. Accurate and, where necessary, kept up to date. Trustees must ensure that 
personal data is inaccurate, is held for a specific purpose, and after it is no longer 
required, is erased without delay, 

4.1.5. Kept in a form which permits identification of data subjects for only so long as the 
purpose for which the data was collected applies; 

4.1.5.1. The Charity may store personal data for more extended periods insofar as the 
personal data will be processed solely for archiving purposes in the public interest, 
scientific or historical research purposes or statistical purposes subject to the 
implementation of the appropriate technical and organisational measures required 
by the UK-GDPR to safeguard the rights and freedoms of individuals, and 

4.1.5.2. It is processed in a manner that ensures appropriate security of the personal 
data, including protection against unauthorised or unlawful processing and 
accidental loss, destruction or damage, using appropriate technical or 
organisational measures. 


Lawful Processing {Précised from Art:6} 

5.1. The Charity will obtain, hold and process all personal data under the UK-GDPR for lawful 
purposes. In all cases, the information collected, held and processed will include Contact 
Information (as defined above). 

5.2. By Consent 

5.2.1. People interested in and who wish to be kept informed of Charity's activities. 

5.2.2. Subject to the person's consent, this may include information selected and 
forwarded by the Charity on activities by other organisations relevant to the Charity. 
Note: this will not involve providing the person's data to another organisation. 

5.2.3: The information collected may additionally contain details of any particular areas of 
interest about which the person wishes to be kept informed. 

5.2.4. The information provided will be held and processed solely to provide the 
information requested by the person. 

5.3. By Contract 


5.3.1. People who sell goods and/or services to and/or purchase goods and/or services 
from the Charity. 

5.3.2. The information collected will additionally contain details of: 

5.3.3. The goods/services being sold to or purchased from the Charity; 

5.3.4. Bank and other details necessary and relevant to the making or receiving payments 
for the goods/services being sold to or purchased from the Charity. 

5.3.5. The information provided will be held and processed solely to manage the contract 


between the Charity and the person for the supply or purchase of goods/services. 
5.4. By Legal Obligation 
5.4.1. People where there is a legal obligation on the Charity to collect, process, and 
share information with a third party — e.g. the legal obligations to collect, process, and 
share with HM Revenue & Customs payroll information on employees of the Charity. 
5.4.2. The information provided will be held, processed and shared with others solely to 
meet legal obligations. 
5.5. By Vital Interest 
oS Fa Ie The Charity undertakes no activities requiring collecting, holding and/or processing 
personal information for reasons of vital interest. 
5.6. By Public Task 
5.6.1. The Charity undertakes no public tasks requiring collecting, holding and/or 
processing personal information. 
5.7. Legitimate Interest 
5.7.1. Volunteers, including Trustees 
oy iy ba To be able to operate efficiently, effectively and economically, it is in the 
legitimate interests of the Charity to hold such personal information on its 
volunteers and trustees as will enable the Charity to communicate with its 
volunteers on matters relating to the operation of the Charity, e.g.: 


or ga a a The holding of meetings; 

SiN: providing information about the Charity's activities — particularly those 
activities which, by their nature, are likely to be of particular interest to 
individual volunteers/trustees; 


5.7.1.1.3. seeking help, support and advice from volunteers/trustees, particularly 
where they have specific knowledge and experience; 
B71 1.4. ensuring that any particular needs of the volunteer/trustee are 


appropriately and sensitively accommodated when organising meetings and 
other activities of the Charity. 

5.7.2. Closed Circuit TV (CCTV) Recording 

57.2.1. The Charity does not collect and store CCTV imagery of any kind 
Individual Rights 
6.1. The right to be informed {Précised from Arts: 12-14} 

6.1.1. When collecting personal information the Charity will provide to the data subject, 
free of charge, a Privacy Policy written in clear and plain language which is concise, 
transparent, intelligible and easily accessible containing the following information: 

6.1.2. Identity and contact details of the Controller 

6.1.2.1. Note: Their contact details should also be included when the organisation has 
a controller's representative and/or a data protection officer. 

6.1.2.2. Purpose of the processing and the lawful basis for the processing 

6.1.2.3. The legitimate interests of the Controller or third party, where applicable 

6.1.2.4. Categories of personal data; Not applicable if the data are obtained directly 
from the data subject 


6.1.2.5. Any recipient or categories of recipients of the personal data 
6.1.2.6. Details of transfers to third countries and safeguards 

6.1.2.7. Retention period or criteria used to determine the retention period 
6.1:2.8; The existence of each of the data subject's rights 

6.1.2.9. The right to withdraw consent at any time, where relevant 


6.1.2.10. |The right to complain to a supervisory authority 

6.1.2.11. | The source of personal data and whether it came from publicly accessible 
sources. Not applicable if the data are obtained directly from the data subject 

6.1.2.12. | Whether the provision of personal data is part of a statutory or contractual 
requirement or obligation and the possible consequences of failing to provide the 
personal data. Not applicable if the data are NOT obtained directly from the data 
subject 

6.1.2.13. The existence of automated decision-making, including profiling and 
information about how decisions are made, as well as the significance and 


consequences. 

6.1.3. In the case of data obtained directly from the subject, the information will be 
provided when the data are obtained. 

6.1.4. In the case that the data are not obtained directly from the data subject, the 


information will be provided within a reasonable period of the Charity having obtained 
the data (within one month) or, if the data are used to communicate with the data 
subject, at the latest, when the first communication takes place; or if disclosure to 
another recipient is envisaged, at the latest, before the data are disclosed. 

6.2. The right of access {Précised from Art:15} 

6.2.1. The data subject shall have the right to obtain from the controller confirmation as to 
whether or not personal data concerning them are being processed, and, where that is 
the case, access to their data and the information detailed in the Charity's relevant 
Privacy Policy: 

6.3. The right to rectification {Précised from Art:16} 

6.3.1. The data subject shall have the right to require the Controller to rectify any 

inaccurate or incomplete personal data concerning them without undue delay. 
6.4. The right to erase {The right to be forgotten} {Précised from Art:17} 


6.4.1. Except where the data are held for a legal obligation or public task, the data subject 
shall have the right to require the Controller without undue delay to erase any personal 
data concerning them. 

6.5. The right to restrict processing {Précised from Art:18} 

6.5.1. Where there is a dispute between the data subject and the Controller about the 
accuracy, validity or legality of data held by the Charity, the data subject shall have the 
right to require the Controller to cease processing the data for a reasonable period to 
allow the dispute to be resolved. 

6.6. The right to data portability {Précised from Art:20} 

6.6.1. Where data are held for purposes of consent or contract. The data subject shall 
have the right to require the Controller to provide them with a copy in a structured, 
commonly used, and machine-readable format of the data they have provided to the 
Controller and have the right to transmit those data to another controller without 
hindrance. 

6.7. The right to object {Précised from Art:21} 

6.7.1. The data subject shall have the right to object, on grounds relating to their 
particular situation, at any time to process personal data concerning them which is 
based on Public Task or Legitimate Interest, including profiling based on those 
provisions. The Controller shall no longer process the personal data unless the 
Controller demonstrates compelling legitimate grounds for the processing which 
override the interests, rights and freedoms of the data subject or for the establishment, 
exercise or defence of legal claims. 

6.7.2. Where personal data are processed for direct marketing purposes, the data subject 
shall have the right to object at any time to the processing of personal data concerning 
them for such marketing, which includes profiling to the extent that it is related to such 
direct marketing. 

6.7.3. Where the data subject objects to processing for direct marketing purposes, the 
personal data shall no longer be processed for such purposes. 

6.7.4. At the latest, at the time of the first communication with the data subject, the right 
referred to previously shall be explicitly brought to the attention of the subject and 
presented clearly and separately from any other information. 

6.8. Rights concerning automated decision making and profiling {Précised from Art:22} 

6.8.1. Except where it is: a) based on the data subject's explicit consent or necessary for 
entering into, or performance of, a contract between the data subject and a data 
controller; the data subject shall have the right not to be subject to a decision based 
solely on automated processing, including profiling, which produces legal effects 
concerning them or similarly significantly affects them. 


Operational Policies & Procedures 

7.1. Bar Hill Community Association (the Charity) is a small charity holding just a tiny amount of 
non-sensitive data on a small number of people. 

7.2. The Trustees understand and accept their responsibility under the UK General Data 
Protection Regulation (UK-GDPR) to hold all personal data securely and use it only for 
legitimate purposes with the knowledge and approval of the data subjects. 

7.3. By the following operational policies and procedures, the Trustees undertake to uphold the 
principles and requirements of the UK-GDPR in a manner which is proportionate to the 
nature of the personal data being held by the Charity. The policies are based on the 
Trustees' assessment, in good faith, of the potential impacts on the Charity and its data 
subjects of the personal data held by the Charity being stolen, abused, corrupted or lost. 


Personnel 
8.1. Data Protection Officer 
8.1.1. In the considered opinion of the Trustees, given the scope and nature of the 


personal data held by the Charity is not sufficient to warrant the appointment of a Data 
Protection Officer as a specific role 


8.1.2. However, it may sometimes become necessary for Trustees to seek specific advice 
related to data protection. At that time, at the discretion of the Chair or based on a 
formal request in a board meeting, a nominated Data Protection officer will be appointed 
as an advisor 

8.2. Data Controller 
8.2.1. The Board of Trustees is the Data Controller for the Charity. 
8.3. Data Processor 

8.3.1. The Board of Trustees will appoint at least one and not more than 5 of its number, 

or other appropriate persons, to be the Data Processors for the Charity. 
8.4. Access to Data 

8.4.1. Except where necessary to pursue the legitimate purposes of the Charity, only the 

Data Processors shall have access to the personal data held by the Charity. 
8.5. Training 

8.5.1. The Board of Trustees and Data Processors will periodically undergo appropriate 
training commensurate with the scale and nature of the personal data that the Charity 
holds and processes under the UK-GDPR as deemed necessary by the Trustees 

8.6. Collecting & Processing Personal Data 

8.6.1. The Charity collects various personal data commensurate with the variety of 
purposes for which the data are required to pursue its charitable objectives. 

8.6.2. All personal data will be collected, held and processed following the relevant Data 
Privacy Notice provided to data subjects as part of the data collection process. 

8.6.3. A Data Privacy Notice will be provided, or otherwise made accessible, to all 
persons on whom the Charity collects, holds and processes data covered by the UK- 
GDPR. The Data Privacy Notice provided to data subjects will detail the nature of the 
data being collected, the purpose(s) for which the data are being collected, and the 
subjects’ rights concerning the Charity's use of the data and other relevant information 
in compliance with the prevailing UK-GDPR requirements. 


9. Information Technology 
9.1. Data Protection by Design/Default 


9.1.1. Since: 

9.1.1.1 None of the Charity's volunteer Trustees are data protection professionals; 

9.1.1.2. it would be a disproportionate use of charitable funds to employ a data 
protection professional, given the scale and nature of the personal data held by the 
Charity; 

9.1.1.3. the Trustees will seek appropriate professional advice commensurate with its 
data protection requirement whenever: 

9.1.1.4, they are planning to make significant changes to how they process personal 
data; 


9.1.1.5 there is any national publicity about new risks (e.g. cyber attacks); 
9.1.1.6. any material changes to the UK-GDPR are proposed or have been made; 
Sale which might adversely compromise the Charity's legitimate processing of 
personal data covered by the UK-GDPR. 
9:1.2: Personal data will never be transmitted electronically (e.g. by e-mail) unless 
securely encrypted. 
9.2. Data Processing Equipment 


9.2.1. The scale and nature of the personal data held by the Charity is insufficient to 
justify the Charity purchasing dedicated computers for processing personal data. 
9.2.2. Instead, the Charity will purchase and own at least two and not more than five 


removable storage devices to store the personal data it holds and processes. 
The removable storage devices will also act as backup devices. 

9.2.3. Whilst the data will be processed on the computers/laptops to which the Data 
Processors have access, no personal data covered by the UK-GDPR will be stored on 
those computers/laptops. All interim working data transferred to such 
computers/laptops for processing will be deleted once processing has been completed. 


9.2.4. When not in use, the removable storage devices will be kept in a secure location 
and reasonably protected against accidental damage, loss, avoidable theft or other 
misuses by persons other than the Data Processors. 


9.2.5. The Data Controller & Data Processors will keep a register of 
925.4: the location of all removable devices used for the storage and processing of 
personal data; 
9.2.5.2. each occasion when the data on each device were accessed or modified and 
by whom. 
9.2.6. The Charity's removable storage devices shall not be used to store any data 


unrelated to the Charity's processing of personal data. 
9.3. Data Processing Location 

9.3.1. Data Processors shall only process the Charity's data in a secure location and not 
in any public place, e.g., locations where the data could be overlooked by others or the 
removable data storage devices would be susceptible to loss or theft. 

9.3.2. Computers/laptops used for data processing will not be left unattended at any 
time. 

9.4. Data Backups 

9.4.1. To protect against data loss by accidental corruption of the data or malfunction of a 
removable data storage device (including by physical damage), all the Charity's data 
shall be backed up periodically and whenever any significant changes (additions, 
amendments, deletions) are made to the data. 

9.4.2. Backup copies of the data shall be held in separate secure locations which are not 
susceptible to common risks (é.g., fire, flood, theft). 

9.4.3. As far as is reasonably practical, all files containing personal data covered by the 
UK-GDPR will be encrypted using NCH-Meo, Kaspersky Vault or other comparable 
software. 

9.4.3.1. The encryption keys will be held securely in a separate location from the data 
storage media. 
9.5. Obsolete or Dysfunctional Equipment (Disposal of Removable Storage Media) 

9.5.1. Equipment used to hold personal data, whether permanently or as interim working 
copies, which come to the end of their useful working life, or become dysfunctional, 
shall be disposed of in a manner which ensures that unauthorised persons cannot 
recover any residual personal data held on the equipment. 

9.5.2: Since: 

9.5.2:1. this will be a relatively infrequent occurrence; 

9:5.2:2. techniques for data recovery and destruction are constantly evolving; 

9.5.2.3. none of the Trustees have relevant up-to-date expert knowledge of data 
cleansing; 

9.5.2.4. Equipment which becomes obsolete or dysfunctional shall not be disposed of 
immediately. Instead, it will be stored securely while up-to-date expert advice on 


the most appropriate data cleansing and disposal methods can be sought and 
implemented. 


10. Data Subjects 
10.1. The Rights of Data Subjects 
10.1.1. In compliance with the UK-GDPR, the Charity will give data subjects the following 

rights. 
These rights will be made clear in the relevant Data Privacy Notice provided to data 
subjects: 

10.1.1.1. the right to be informed; 

10.1.1.2. the right of access; 

10.1.1.3. the right to rectification; 

10.1.1.4. the right of erasure {LO}, also referred to as "The right to be forgotten." 

10.1.1.5. the right to restrict processing; 

10.1.1.6. the right to data portability; {LO} {Li} 


10.1.1.7. the right to object; {SC} {Co} {LO} 
10.1.1.8. | the right not to be subjected to automated decision-making, including 
profiling. 

10.1.2. The above rights are not available to data subjects when the legal basis on which 
the Charity is holding & processing their data are: {SC} Subject Consent; {Co} 
Contractual obligationf{LO} Legal Obligation {L/} Legitimate Interest 

10.2. Rights of Access, Rectification and Erasure 

10.2.1. Data subjects will be informed of their right to access and request that any errors or 
omissions be corrected promptly. 

10.2.2. Such access shall be given, and the correction of errors or omissions shall be made 
free of charge, provided such requests are reasonable, not trivial or vexatious. 

There is no prescribed format for making such requests provided that: 

10.2.3. the request is made in writing, signed & dated by the data subject (or their legal 
representative); 

10.2.4. the data claimed to be in error, or missing are clearly and unambiguously identified; 

10.2.5. the corrected or added data are precise and declared by the subject to be 
complete and accurate. 

10.2.6. — It will be explained to subjects which make a request to access their data and/or to 
have errors or omissions corrected, or that their data be erased, that, while their 
requests will be actioned as soon as is practical, there may be delays where the 
appropriate volunteers or staff to deal with the request do not work on every typical 
weekday. 

10.2.7. Where a data subject requests that their data be rectified or erased, the Data 
Controller and Data Processor will ensure that the rectifications or erasure will be 
applied to all copies of the subject's data, including those copies which are in the hands 
of a Third Party for authorised data processing. 

10.3. Right of Portability 

10.3.1. | The Charity will only provide copies of personal data to the subject (or the subject's 
legal representative) upon written request. 

10.3.2. |The Charity reserves the right to either: 

10.3.2.1. | Decline requests for portable copies of the subject's data when such 
requests are unreasonable (i.e., persistent) or vexatious; or 
10.3.2.2.. make a reasonable charge for providing the copy. 
10.4. Data Retention Policy 

10.4.1. | Personal data shall not be retained for longer than: 

10.4.2. In the case of data held by subject consent: 
the period for which the subject consented to the Charity holding their data; 

10.4.3. in the case of data held by legitimate interest of the Charity: 

10.4.3.1. | The period for which that legitimate interest applies. For example: in the 
case of data subjects who held a role, such as a volunteer, with the Charity, the 
retention period is that for which the Charity reasonably has a legitimate interest in 
being able to identify that individual's role in the event of any retrospective query 
about it; 

10.4.3.2. In the case of data held by legal obligation: the period for which the Charity is 
legally obliged to retain those data. 

10.4.4. | The Charity shall regularly — not less than every six months — review the personal 
data it holds and remove any data where retention is no longer justified. Such removal 
shall be made as soon as is reasonably practical, and in any case, no longer than 20 
working days (of the relevant Data Processor) after retention of the data was identified 
as no longer justified. 


11. Privacy Impact Assessment 
711.1. Trustees' Data 
11.1.1. The volume of personal data is very low — less than 15 individuals 
The sensitivity of the data is low-moderate: the most sensitive data being the date of 


birth, previous names and previous addresses; 
The risk of a data breach is small as the data are rarely used, with most of the data 
being held for a combination of legal obligation and legitimate interest. 

11.1.2. Overall impact: LOW 

11.2. Volunteers’/Members’ Data 

11.2.1. The volume of personal data is low — less than 100 individuals 
The sensitivity of the data is low: the most sensitive data being an e-mail address; 

The risk of a data breach is small — primarily the accidental disclosure of names & e-mail 
addresses. 

11.2.2. Overall impact: LOW 

11.3. Supporters' & Enquirers' Data 

11.3.1. | The volume of personal data is low-moderate. 

11.3.2. The sensitivity of the data is low: the most sensitive data being an e-mail address; 
The risk of a data breach is small — primarily the accidental disclosure of names & e-mail 
addresses. 

11.3.3. Overall impact: LOW 


12. Third-Party Access to Data 


13. 


14. 


12.1. Under no circumstance will the Charity share with, sell or otherwise make available to 
Third Parties any personal data except where it is necessary and unavoidable to do so in 
pursuit of its charitable objects as authorised by the Data Controller. 

12.2. Whenever possible, data subjects will be informed of the necessity to share their data 
with a Third Party in pursuit of the Charity's objectives. 

12.3. Before sharing personal data with a Third Party, the Charity will take all reasonable steps 
to verify that the Third Party is compliant with the provisions of the UK-GDPR and confirmed 
in a written contract. The contract will specify that: 

12.4. The Charity is the owner of the data; 

12.5. The Third Party will hold and process all data shared with it exclusively as specified by 
the instructions of the Data Controller; 

12.6. The Third Party will not use the data for its purposes; 

12.7. The Third Party will adopt prevailing industry standard best practices to ensure that the 
data are held securely and protected from theft, corruption or loss; 

12.8. The Third Party will be responsible for the consequences of any theft, breach, corruption 
or loss of the Charity's data (including any fines or other penalties imposed by the 
Information Commissioner's Office) unless such theft, breach, corruption or loss was a direct 
and unavoidable consequence of the Third Party complying with the data processing 
instructions of the Data Controller 

12.9. The Third Party will not share the data or the results of any analysis or other processing 
of the data with any other party without the explicit written permission of the Data Controller; 

12.10. The Third Party will securely delete all data that it holds on behalf of the Charity once the 
purpose of processing the data has been accomplished. 

12.11. The Charity does not, and will not, transfer personal data out of the UK. 


Data Breach 

13.1. If any data breach comes to the Data Controller's attention, the Trustees will immediately 
notify the Information Commission's Office. 

13.2. If full details of the nature and consequences of the data breach are not immediately 
accessible (e.g., because Data Processors do not work on every typical weekday), the 
Trustees will bring that to the attention of the Information Commissioner's Office and 
undertake to forward the relevant information as soon as it becomes available. 


Privacy Policy & Privacy Notices 

14.1. The Charity will have a Privacy Policy and appropriate Privacy Notices, which it will make 
available to everyone it holds and processes personal data, following Error! Reference s 
ource not found.. 


14.2. Inthe case of data obtained directly from the subject, the Privacy Notice will be provided 
when the data are obtained. 

14.3. In the case that the data are not obtained directly from the data subject, the Privacy 
Notice will be provided within a reasonable period of the Charity having obtained the data 
(within one month) or, 

If the data are used to communicate with the data subject, at the latest, when the first 
communication takes place; or 
If disclosure to another recipient is envisaged, at the latest, before the data are disclosed. 


APPENDIX A: Change Log 


Version Date Notes 
0.1 (Draft) 22-Nov-2022 First draft for review 
1.0 (Approved) 13-Dec-2022 Approved in monthly meeting 


Draft. For review at a Trustees meeting (using a decimal point as a draft version). When Trustees 
approve a revision, the following whole number is the approved document version. 

For example, 1.1 (Draft) becomes 2.0 (Approved). 

Approved. Trustees have reviewed and approved the document on the date specified. 
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